chore: update net to v0.47.0 in pvcviewer-controller

[asaadbalum]

Description

Update golang.org/x/net from v0.24.0 to v0.47.0 in the pvcviewer-controller to fix security vulnerabilities and align with other components (per reviewer feedback to match PR #786).

CVEs Fixed:

• ✅ CVE-2025-22870
• ✅ CVE-2025-22872

Related Issue: Closes #782 (PR 1)

---

Changes

Updated dependencies in components/pvcviewer-controller/go.mod:

Dependency	Old Version	New Version
golang.org/x/net	v0.24.0	v0.47.0
golang.org/x/sys	v0.19.0	v0.38.0
golang.org/x/term	v0.19.0	v0.37.0
golang.org/x/text	v0.14.0	v0.31.0
golang.org/x/tools	v0.20.0	v0.38.0

Note: The additional golang.org/x/* packages are transitive dependencies of golang.org/x/net. They were automatically updated by go mod tidy to maintain compatibility.

---

Testing

Local Build & Tests

Test	Result
go mod tidy	✅ Pass
go vet ./...	✅ No issues
make manager	✅ Builds cleanly
Unit tests (10/10)	✅ 65.4% coverage

CVE Verification (Trivy Scan)

=== Checking CVE-2025-22870 (x/net) ===
NOT FOUND - FIXED ✅

=== Checking CVE-2025-22872 (x/net) ===
NOT FOUND - FIXED ✅

=== Current golang.org/x/net version ===
golang.org/x/net v0.47.0 // indirect

---

Acceptance Criteria

• Run go mod tidy to ensure dependencies are clean
• Run make manager to build the controller
• Run unit tests to verify functionality
• CI workflows pass (unit, integration, multi-arch tests)
• Deploy to notebooks-v1 cluster and verify PVCViewer component
• Verify CVEs are fixed via Trivy scan

Signed-off-by: Asaad Balum asaad.balum@gmail.com

[andyatmiami]

Hey @asaadbalum - sorry there has been a delay in reviewing this work.

appreciate you opening this to improve our security posture - but do you mind looking into this one (hopefully trivial) suggestion I have.

note that if incorporating my suggestion causes any issues/additional complexity - feel free to simply document why this isn't feasible and we can continue to get this merged as-is.

[andyatmiami]

Given #786 is upgrading x/net to v0.47.0 - can we also upgrade to that version here to loosely try to keep versions aligned as we focus on dep upgrades?

I make this suggestion partly b/c in analyzing the deltas across 0.38.0 -> 0.47.0 - I don't see anything in the change logs that would make me think this is anything except a trivial update.

thanks!

[andyatmiami]

/ok-to-test

[asaadbalum]

Thanks for the review @andyatmiami!

I've updated the PR to use golang.org/x/net v0.47.0 as suggested to align with PR #786.

Changes made:

• Upgraded golang.org/x/net from v0.38.0 → v0.47.0
• Transitive dependencies updated automatically via go mod tidy

Local verification:

• ✅ go mod tidy - clean
• ✅ make manager - builds successfully
• ✅ Unit tests - 10/10 passed (65.4% coverage)
• ✅ Trivy scan - CVE-2025-22870 and CVE-2025-22872 are fixed

Ready for another look!

[andyatmiami]

/lgtm

thanks @asaadbalum for this contribution.

i independently confirmed the verification checks performed by the PR author are reproducible and valid.

furthermore, in analyzing the changes introduced across the significant version bumps of upgraded dependencies, I am comfortable with them being safe for our usage.

• x/net: critical functional changes revolve around usage of html parsing and/or HTTP/2 server which doesn't apply to our usage

• x/sys | x/term | x/text | x/tools : less controversial changes that reasonably verified by the application continuing to build

[thesuperzapper]

Thanks everyone, looks good.

/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thesuperzapper

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• components/pvcviewer-controller/OWNERS [thesuperzapper]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment